Backdoored Ransomware for Educational Purposes

Here is an interesting article I found this week, it’s about how A researcher released two pieces of ‘educational’ ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals a small number of scriptkiddies. There two pieces were HiddenTear (a ransomware with deliberately insecure cryptography designed to make decryption of files always possible), and eda2 (a supposedly flawless ransomware with a vulnerable C&C panel designed to enable retrieval of keys). Although releasing backdoored ‘educational’ ransomware might seem like a good idea, it’s really, really not.

Educational Purposes

I have a big problem with the word educational when it comes to malware: I get hundreds of emails per year asking for how to guides on writing fully weaponized malware (for educational purposes of course). You see the problem here is, what exactly do those educational purposes entail? There is no university degree in effective malware development, nor is freelance malware developer a viable legal career path. If they were planning on doing malware development for red teaming, they’d need a lot more skills than just basic malware development and could seek one of them many paths into pentesting based careers. What it really comes down to is, anyone using the term educational purposes is under no illusion that what they’re doing has next to no legitimacy at all. If I go into a hardware store to buy an nail gun for some DIY job, I don’t look the shopkeeper dead in the eyes and tell him “Don’t worry, I’m not using this to murder anyone”, because now he’s thinking either ‘wow, this guy has issues’ or ‘am I about to become complicity in a murder’. Generally speaking the people who aren’t guilty don’t feel the need to ensure everyone is aware of the fact, I get plenty of normal emails asking for help with malware in the context of some research they’re doing, rather than some badly worded emails from Russians using google translate.

On the flip side it’s no different; stating educational purposes when releasing some malware is really just another way of saying ‘look at this great malware I wrote, I have no legitimate reason to post it but I’m going to anyway’, and I would know because I’ve been guilty of this many times in the past. Now personally when posting any kind of malware proof of concept, I’ve made sure it’s restricted to the exact context of the demo (I don’t post a fully fledged banking trojan source code to demonstrate that malware can run on computers), and I also ensure that it would take more effort than it’s probably worth for someone to weaponize any code I posted (though in the past this has still happened one or two times *shakes fist at sky*).

Now let’s look at the pretense for the hidden tear ransomware:

While I was researching about ransomwares, all I can see that lots of fancy diagrams, assembly codes which are tries to explain how it works. It may be easy to understand who are familiar with assembly. But most of people not, especially the newbies. And there wasn’t any proper source code for a ransomware sample. My first motivation was provide a source code for newbies, students who are trying to understand the process.

Well to start off, yes it is usually is fairly difficult to understand assembly if you don’t know assembly, but why? Why do you need to understand assembly code to understand ransomware? How is giving out the source code going to help people understanding it? Ransomware is so basic that you really can explain it to no coders in less than 500 words:

Ransomware is software which encrypts your computer’s files using the AES-256 encryption algorithm; this algorithm is secure enough that it is used by the US government and cannot be broken easily. Once the files are encrypted, the encryption key is then sent to the ransomware owner and all traces of it are erased from your computer. The only way to recover the key to decrypt your files is by paying the owner to give it back.

From a coders perspective, if you understand how AES is used to encrypt files, you understand how ransomware is used to encrypt files, it’s really not rocket science; which begs the question why does there need to be an open source fully functional piece of ransomware complete with payment method and C&C to explain how basic file encryption works? The answer is: there doesn’t, this was the first open source ransomware for a very good reason.

File Recovery

As the author behind hidden tear and eda2 found out, a vulnerable C&C panel doesn’t ensure recovery. Make no mistake that these aren’t professional cyber-criminals using his open source code, they are bottom tier scriptkiddies who otherwise wouldn’t be able to gather the code required to make even remotely functional ransomware, which is evident by the fact they hosted their C&C server on a free hosting site which had been terminated due to abuse complains before the researcher was able to recover the keys. Doh.

Now it may look like tricking criminals into using backdoored malware is still a great idea, but as is evident by the stories of hidden tear and eda2, nobody is moving to the backdoored ransomware; rather it’s giving new players a taste of the high life with code they aren’t yet able to write, then smacking them back down with backdoored encryption. So what happens next? Do they give up or do they continue trying to fix the backdoored code until they get it right? Well seeming as the developer revealed how and where the ransomware is backdoored, it’s probably the latter.

The final issue here is assuming everything had gone to plan, C&Cs stayed online, all encryption keys were recovered, how many people will get their files back (and for free)? It’s not like you can just call up the victims and tell them they’re infected with probably the only recoverable ransomware and that you have the key for them, most of these people don’t even know what ransomware is. Although I don’t have a fulltime job, I sometimes do incident response based work for a couple of people so I have had multiple encounters with the real world effects of ransomware. Recently I was tasked to help a DFIR guy identify the ransomware used to encrypt a companies files and see if they could recover them. In this case they were lucky, I was able to identify the ransomware and provide them with a list of methods for file recovery as well as confirm that if the worst comes to the worst this ransomware will give their files back if the pay; but, had they not called an incident response firm, what would have happened then?

Conclusion

It’s unrealistic to think that even if the encryption keys are recovered that even 50% of the victims will get their files back for free. It relies on the the victim is first able to identify they’re infected with ransomware based on hidden tear or eda2, then find who to call up to recover their files. I have a hard time identifying most ransomware and I’ve been working with malware for many years now, what hope do the victims have. Essentially the whole scheme is a variant of ‘create the sickness sell the cure’, as it’s ignorant to think the backdoored ransomware is used only by existing groups and not just providing new tools to scriptkiddies.

SIMILAR NEWS

One of the most common questions I’m asked is “what programming language(s) should I learn to get into malware analysis/reverse engineering”, to answer this question I’m going to write about the top 3 languages which I’ve personally found most useful. I’ll focus on native malware (malware which does not require …

Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying …

Computer Requirements: A CPU with AMD-V or Intel VT-x support (pretty much any modern CPU). 4 GB RAM (more is better). Make sure Virtualization (AMD-V or Intel VT-x) is enabled in the BIOS. To do this, you’ll need to google “enable virtualization” along with your bios or motherboard version, then …